Splunk Search

Which is a faster search strategy for filters on multiple columns?

sjanwity
Communicator

I have a table which returns multiple columns and I want to implement a text filter on each of these columns. Currently I'm doing:

| search columnA="$a$"
| search columnB="$b$"
| search columnC="$c$"

But I'm wondering if it's quicker to simply do multiple AND statements on 1 search? Is there an even quicker method?


jeremiahc4
Builder

Doing all three in the same search inherently does an AND in between them:

columnA="$a$" columnB="$b$" columnC="$c$"

is the same as

columnA="$a$" AND columnB="$b$" AND columnC="$c$"


skawasaki_splun
Splunk Employee

If you want to test and see for yourself, then inspect the job and look how long both searches took. See if you can find a good sized data (don't try to compare searches that finish within, say, 5 seconds since that's too fast).
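Both forms from the thread side by side, as an added example that is not part of any post above, so the equivalence jeremiahc4 describes and the timing check skawasaki_splun suggests can be tried on real data. The index `web`, sourcetype `access_combined` and the field names are hypothetical, and `$ip$`, `$path$` and `$status$` stand for dashboard tokens.

```spl
/* Form 1: the original pattern, one `| search` per column after the table is built.
   Everything before the first `| search` is returned to the search head first,
   then each filter is applied to the already-materialized result rows. */
index=web sourcetype=access_combined
| table _time clientip uri_path status
| search clientip="$ip$"
| search uri_path="$path$"
| search status="$status$"

/* Form 2: the same three terms as one base-search filter. Adjacent terms are
   implicitly ANDed, so this is identical to writing AND between them, and
   because the terms sit before any transforming command they are evaluated
   on the indexers against the index rather than on rows already returned. */
index=web sourcetype=access_combined clientip="$ip$" uri_path="$path$" status="$status$"
| table _time clientip uri_path status

/* Form 3: explicit AND, written out. Produces the same result set as Form 2. */
index=web sourcetype=access_combined clientip="$ip$" AND uri_path="$path$" AND status="$status$"
| table _time clientip uri_path status

/* To compare cost, run each form over the same time range, then open
   Job > Inspect Job and compare the reported run duration and the count of
   events scanned versus events returned. A difference only shows on a data
   set large enough that each search runs for well over a few seconds. */
```

The `| table` in Form 1 keeps only the listed fields, so any later `| search` on a field that was not kept would silently match nothing; Form 2 avoids that trap because the filter runs before the projection.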

jeremiahc4
Builder

I believe it does narrow the search results with each one via a map & reduce function. Johnathon Cervelli described this stuff to me at a SplunkLive a few years back, and I believe it does a search where it finds the first term (map), then using that subset (reduce) it performs a search with the second term (map) and narrows the field down further (reduce), then repeats for each term. The one way to slow it down is to put it all in quotes, where it then has to do a couple of additional searches to ensure the terms are in the order specified in your quotes.

Edit: oops, I meant for this to be a reply to your last message.

sjanwity
Communicator

I was hoping that piping the searches would make each search be performed only on the result of the previous one, potentially saving performance? Is there a better way, then?
